RED behind a Fritzbox does not set up a VPN

Hello,

we support our customer with the following installation.

Two XGS 2100 are installed centrally inside the DMZ as an HA cluster. An external location shall be connected via a RED device. The SD 20 RED device is configured as transparent/split because the RED must be integrated into an existing network.

The RED device is connected to the internet via a DSL router from AVM (Fritzbox). DHCP in this external network is provided by the Fritzbox. The ports TCP/UDP 3400 and TCP/UDP 3410 are open on the firewall at the central side. The RED device connects to the XGS cluster from our test lab without any problems. In the test lab the RED device was located behind a Linux firewall. After successful testing, the RED device was deployed at the external location. But there the RED does not start the tunnel. The Internet and Router LEDs are green, the System LED is red.

After this failure, we also installed a Fritzbox in front of the RED in the test lab. The tunnel didn't come up here either. We changed the configuration of the Fritzbox several times, but the RED doesn't start the tunnel. As I understand it, the Fritzbox only does NAT and the tunnel should therefore start without any problems.

I opened a case and on the same day we received the question whether Telnet to red.astaro.com port 3400 was possible. We answered yes, but since this mail we have received no further reaction from Sophos Support.

So we did some debugging on the Fritzbox and we see some packets with "bad certificate"; we see this also on the XGS inside the red.log:

Thu Oct 20 10:17:25 2022Z REDD ERROR: server: Can not do SSL handshake on Socket accept from '88.68.185.204': SSL accept attempt failed
Thu Oct 20 10:17:27 2022Z REDD ERROR: server: Can not do SSL handshake on Socket accept from '88.68.185.204': SSL accept attempt failed error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate

We have communicated the new findings to Sophos Support, but unfortunately no reaction. I have read a lot of articles, but I have not found a practical solution for the above failure. Since there has been no response from Sophos Support for some days, I would like to ask here what we can do to solve the problem.

regards

Rolf

  • Hello Dirk,

    which IP range do you mean? In front of the RED we have the network 10.100.100.0/24. The Fritzbox is the DHCP server in this network, so the RED received its IP addresses from the Fritzbox: one IP address for the WAN interface, one for the LAN interface and also one for the tunnel.

    The RED has operation mode transparent/split, and if I configure this network as split network, the tunnel does not come up. If I do not configure any split network, the tunnel comes up.

    As I said, there are some open questions inside this case.

    Do you have an idea regarding the split-network?

    Rolf

  • What do you put in "split networks"? What do you mean by "this network"?

    Kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Hello Philipp,

    currently I have nothing configured for the split network. If I configure the network 10.100.100.0/24 as split network, the tunnel does not come up.

    Rolf

  • You have to configure the network behind the UTM that you wish to reach from the RED device as the split network.

    If you have 10.100.100.0/24 behind the RED and configure 10.100.100.0/24 as the split network which the RED should reach over the UTM ... these networks overlap (or are the same) and the tunnel isn't established.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Hello Dirk,

    yes, you are right. I tried this too, and if I configure the split network with 192.168.0.0/16 (these are the networks behind the UTM), the tunnel comes up. I assumed that the split network would then be routed or bridged via the RED towards the UTM, so that all end devices in the network 10.100.100.0/24 could reach the central network 192.168.0.0/16 if required. That doesn't work either, or there is another problem in the configuration.

    Currently I have to configure static routes for the networks 192.168.0.0/16 on the end devices. Without the static routes, the end devices cannot reach the central networks 192.168.0.0/16.

    Rolf

  • Hello Dirk,

    below is a short excerpt from the transparent/split mode description:

    Only traffic destined for certain networks transmits down the tunnel. In this case, the RED does not act as the gateway, but it is in-line with the gateway and can transparently redirect packets down the tunnel.

    If these certain networks are the networks which have to be configured as split networks, it does not work.

    If it's not these certain networks, I wonder where I have to configure them.

    Rolf
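
The overlap rule Dirk describes and the transparent/split behaviour quoted above can be checked before a RED is deployed. The following is an added example, not code from the thread or from Sophos: it validates a split-network list against the LAN the RED sits in and classifies where a packet from that LAN is forwarded. The network values are the ones from this thread; the function names are assumptions.

```python
import ipaddress

# Values taken from the thread: the network in front of the RED (served by the
# Fritzbox) and the central networks behind the UTM/XGS that should be reached
# through the tunnel.
LOCAL_LAN = "10.100.100.0/24"
CENTRAL_NETWORKS = ["192.168.0.0/16"]


def validate_split_networks(local_lan, split_networks):
    """Return a list of configuration problems; an empty list means the set is usable.

    In transparent/split mode the split networks are the remote networks reached
    through the tunnel. A split network that overlaps the LAN the RED sits in
    (as in the thread, 10.100.100.0/24 on both sides) is rejected here, because
    in that configuration the tunnel did not come up.
    """
    lan = ipaddress.ip_network(local_lan, strict=False)
    problems = []
    if not split_networks:
        problems.append("no split networks configured: the tunnel may come up "
                        "but no traffic will be redirected into it")
    for entry in split_networks:
        net = ipaddress.ip_network(entry, strict=False)
        if net.overlaps(lan):
            problems.append(f"split network {net} overlaps the local LAN {lan}")
    return problems


def path_for(destination, local_lan, split_networks):
    """Classify a destination seen from a host on the local LAN.

    'local'   - stays on the LAN in front of the RED
    'tunnel'  - matches a split network and is redirected down the RED tunnel
    'gateway' - everything else goes to the normal gateway (the Fritzbox),
                since in transparent/split mode the RED is only in-line with it
    """
    dst = ipaddress.ip_address(destination)
    if dst in ipaddress.ip_network(local_lan, strict=False):
        return "local"
    for entry in split_networks:
        if dst in ipaddress.ip_network(entry, strict=False):
            return "tunnel"
    return "gateway"


if __name__ == "__main__":
    for problem in validate_split_networks(LOCAL_LAN, [LOCAL_LAN]):
        print("problem:", problem)
    print(validate_split_networks(LOCAL_LAN, CENTRAL_NETWORKS))  # []
    for host in ("10.100.100.7", "192.168.10.5", "8.8.8.8"):
        print(host, "->", path_for(host, LOCAL_LAN, CENTRAL_NETWORKS))
```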

  • Hello Dirk,

    I built up the lab again and checked it. Now it works; the problem was the configuration of the PC.

    Regards

    Rolf